If you need a lightweight intrusion detector for smaller networks, Snort runs under UNIX/Linux or Windows, packs a punch, and takes just minutes to install.

Designed to fill the gap left by expensive, heavy-duty network intrusion detection systems, Snort is a free, cross-platform packet sniffer, logger, and intrusion detector for monitoring smaller TCP/IP networks. It runs on Linux/UNIX and Win32 systems. It takes mere minutes to install and start using it.

Snort has three primary modes: packet sniffer, packet logger, or full-blown intrusion detection system. In the grand tradition of open/free software, it supports all manner of plugins, extensions, and customizations: database or XML logging, small fragment detection, and statistical anomaly detection. Packet payload inspection is one of Snort's most useful features. This means many additional kinds of hostile activity can be detected.

Snort.org provides RPMs and tarballs. Normally I recommend building from source, but I had problems with the tarball of the latest stable version, 1.8.6. As the deadline for this article loomed mercilessly over me, I didn't have time to figure out if I did something foolish, or if it was Snort's fault. The RPM installed flawlessly.

For Snort to work, libpcap must be installed on your system, and most likely is. Use locate to check:
$ locate libpcap

If it is not present, get it from tcpdump.org, or your Linux installation disks.

It is unwise to install a security product without verifying that the download is intact and genuine. Compare the checksum of your download with the published value:
# md5 snort-1.8.6.tar.gz
or
# md5 snort-1.8.6-1snort.i386.rpm

Unpack the tarball:
$ tar -xvzf snort-1.8.6.tar.gz

Install as root:
# ./configure
# make
# make install

That's the simple generic installation. Some other targets: make check runs Snort's pre-installation self-tests; make clean removes binaries and object files from the source directory; and make uninstall gives you a clean removal.

Other installation options, used with ./configure:
  --with-snmp             Enable SNMP alerting code
  --with-mysql=DIR        Support for MySQL
  --with-postgresql=DIR   Support for PostgreSQL databases
  --with-openssl=DIR      Support for OpenSSL

This creates a separate directory for each host. To dump everything into a single binary, tcpdump-formatted file, use the -b switch:
# snort -l /var/log/snort -b

It is unnecessary to specify any other options. Parse the output file as you need, with Snort's built-in options, tcpdump, or ethereal. -r reads and processes the file:
# snort -vder /var/log/snort/snort-0629@1600.log

See man snort or tcpdump for more options for the Berkeley Packet Filter.

Network Intrusion Detection Mode
Now we get into the real Snort power tools. Take a look at /etc/snort/snort.conf, the global configuration file. Snort rulesets are also in /etc/snort, in plain text files. The impatient can uncomment this line and be up and running right away:
var HOME_NET $eth0_ADDRESS

This initializes Snort to the network configuration of the local NIC.

For speed, logging every single packet and writing it to the screen won't work: packets will be dropped and logfiles will balloon. Drop the -v switch so it won't write to the screen, and we can probably live without -e, the data link headers:
# snort -dl /var/log/snort -h 192.168.1.0/24 -c /etc/snort/snort.conf

-h means home network, -c means use ruleset, followed by the path. This is NIDS at its most basic, logging packets as defined by the rules, in plain ASCII. Use the -b switch to log to a binary file. Notice that defining the subnet range uses CIDR notation, Classless Inter-Domain Routing.

Where do these mysterious rulesets come from? Two sources: Snort.org's rulesets, included in the RPM or downloaded with the binaries, or rules you write yourself. Martin Roesch, the creator of Snort, designed it for speed in all areas: installing, running, and responding to new attacks. If you have the ability to analyze an attack and recognize a unique signature, you can write a rule to find and log it. See the SnortUsersManual.pdf that comes in your download for an excellent tutorial on writing custom rules. (All docs are available online as well.) Snort.org posts updated rulesets daily; download to your heart's content. Use snortpp, available from the snort/contrib directory on snort.org, to merge new ruleset files.
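To make the rule-writing idea concrete, here is an added Python illustration (not Snort's own code and not from the article) of how a Snort-style rule header, a $HOME_NET variable and a content option decide whether a packet is logged. The rules, addresses and packets are constructed, and real Snort features such as hex content, case handling and port ranges are left out.

```python
"""Toy Snort-style rule matcher: header (proto, CIDR addresses, ports), then `content`. Added illustration, not Snort's code."""
import ipaddress
import re

RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
                     r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')  # msg:"..."; sid:1; style options

def parse_rule(text, variables):
    """Parse one rule line; $VAR in the header resolves via `variables`, like snort.conf vars."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    r = m.groupdict()
    for k in ("src", "dst"):
        if r[k].startswith("$"):
            r[k] = variables[r[k][1:]]
    r["opts"] = dict(OPT_RE.findall(r["opts"]))
    return r

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """pkt has proto, src, sport, dst, dport and payload (bytes); header is checked first, then payload."""
    hdr_ok = (rule["proto"] == pkt["proto"]
              and _addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])
              and _port_ok(rule["sport"], pkt["sport"]) and _port_ok(rule["dport"], pkt["dport"]))
    content = rule["opts"].get("content")  # no content option: the rule matches on the header alone
    return hdr_ok and (content is None or content.encode() in pkt["payload"])

def run(rules_text, variables, packets):
    """Return (sid, msg) for every rule hit, in packet order."""
    rules = [parse_rule(l, variables) for l in rules_text.splitlines() if l.strip()]
    return [(r["opts"]["sid"], r["opts"]["msg"]) for p in packets for r in rules if rule_matches(r, p)]

# Constructed rules and packets; HOME_NET is the subnet from the article's -h example.
RULES = '''alert tcp any any -> $HOME_NET 80 (msg:"WEB probe for /cgi-bin/"; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"telnet to home net"; sid:1000002; rev:1;)'''
VARS = {"HOME_NET": "192.168.1.0/24"}
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 80, "payload": b"GET /cgi-bin/x HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40001, "dst": "192.168.1.10", "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40002, "dst": "10.0.0.1", "dport": 23, "payload": b""},  # dst outside HOME_NET
    {"proto": "tcp", "src": "192.168.1.20", "sport": 40003, "dst": "192.168.1.10", "dport": 23, "payload": b""},
]
if __name__ == "__main__":
    print(run(RULES, VARS, PACKETS))
```

Only the first and last constructed packets fire: the second lacks the content string, and the third is addressed outside HOME_NET.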

Where To Put It
If you have the time and resources, putting Snort on each side of a firewall can be most enlightening. Comparing what is hitting your firewall to what makes it through can be hair-raising; it really is astonishing how much malicious traffic is traveling the Internet. Running a single Snort box behind a firewall adds a layer of protection and is easier to manage, simply because of the lower data volume.